Solved

Hacked - need info

Posted on 2002-05-13
6
171 Views
Last Modified: 2010-04-13
below is a snippet of my logs.  i believe somebody is trying to hack into my server.  i'm not sure if it succeeded or not.

my server is deny them access to the files requested by reporting error 404.  what is error 500?

what about the default.ida?  what is an ida file?

thanks.

~~~~~~

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-05-09 06:11:49
#Fields: time c-ip cs-method cs-uri-stem sc-status
06:13:41 202.98.62.200 GET /scripts/root.exe 404
06:13:42 202.98.62.200 GET /MSADC/root.exe 404
06:13:44 202.98.62.200 GET /c/winnt/system32/cmd.exe 404
06:13:44 202.98.62.200 GET /d/winnt/system32/cmd.exe 404
06:13:46 202.98.62.200 GET /scripts/..%5c../winnt/system32/cmd.exe 404
06:13:46 202.98.62.200 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
06:13:47 202.98.62.200 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
06:13:47 202.98.62.200 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 500
06:13:48 202.98.62.200 GET /scripts/..Á../winnt/system32/cmd.exe 404
06:13:48 202.98.62.200 GET /scripts/winnt/system32/cmd.exe 404
06:13:49 202.98.62.200 GET /winnt/system32/cmd.exe 404
06:13:49 202.98.62.200 GET /winnt/system32/cmd.exe 404
06:13:51 202.98.62.200 GET /scripts/..%5c../winnt/system32/cmd.exe 404
06:13:51 202.98.62.200 GET /scripts/..%5c../winnt/system32/cmd.exe 404
06:13:52 202.98.62.200 GET /scripts/..%5c../winnt/system32/cmd.exe 404
06:13:52 202.98.62.200 GET /scripts/..%2f../winnt/system32/cmd.exe 404
08:23:22 202.111.154.51 GET /default.ida 200
0
Comment
Question by:jchew
  • 3
  • 2
6 Comments
 

Author Comment

by:jchew
ID: 7005994
btw, just fyi, i'm using Windows 2000 professional with IIS. i constantly check for updates at the ms update site and have applied all the latest SPs
0
 
LVL 32

Accepted Solution

by:
jhance earned 50 total points
ID: 7006037
This is the NIMDA probing your system.  But you're mostly OK.  If the response is 4XX or 500, it's a FAILURE and nothing happened.

But you have the default.ida in place:

>>>08:23:22 202.111.154.51 GET /default.ida 200

FIX THIS NOW.  You don't need this file anyway, just DELETE it.

Be sure you are up to date on all Microsoft HotFixes for your version of Windows.
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 7006498
I agree with jhance.  The fact that your server returned 200 for default.ida is a BAD thing.  This just looks like a probe, if the log entry had looked like this:

08:23:22 202.111.154.51 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 200


Then you might have a serious problem.
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 

Author Comment

by:jchew
ID: 7007520
i tried the following

http://my.server/default.ida

and got the following reply

The IDQ file default.ida could not be found.

does this mean i'm safe?  i have updated my win2k with all the ms critical updates.

btw, can you please tell me what is an ida file?

thanks.
0
 
LVL 32

Expert Comment

by:jhance
ID: 7007566
It's a sample file that is included with IIS.  It is NOT needed for normal IIS web site operations and it is a known security risk.  Delete the file and be safe.
0
 

Author Comment

by:jchew
ID: 7007602
thanks for the info...
0

Featured Post

Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
After-hours service is a fact of life for most MSPs. While not the most pleasant aspect of the job, there are ways to make after-hours servicing a more profitable and organized enterprise.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question